All right. Well, hey, good afternoon, everyone. Welcome to day one of the Barclays Tech Conference. My name is Saket Kalia. I cover software here. Honored to have with us the team here from Fortinet. So we've got Michael Xie, Founder, President, and Chief Technology Officer. We've also got Keith Jensen, Chief Financial Officer. We've got Christiane Ohlgart, Chief Accounting Officer in the back as well as Aaron Ovadia, Head of Investor Relations. So we've got a full crew, and I know it's gonna be a really fun discussion. Maybe around that point, we've got about 30 minutes together. Let's say maybe the first 20 or 25 doing some fireside chat with the team, which I know is gonna be fun, and then we'd love to make this interactive.
So any questions, just pop up your hand, and we've got a mic right around the back. So with that, Michael, Keith, thanks so much for being with us here today.
Thanks for having us.
Yeah, absolutely. Keith, I'd love to dig into the three different segments of Fortinet's business a little bit. And I think a good place to start is in Secure Networking. You know, a lot of talk just about cyclicality of this business and different drivers. But if we think about this market sort of excluding the hardware cyclicality.
Mm-hmm.
How do you sort of think about the growth rate here in the medium term? And, what are some of the main drivers that you're most excited about in that market, if you will?
Yeah, I think you're making reference to the fact we have three pillars. We talk about network security, which is.
Mm-hmm.
the one that we're talking about here, but also Unified SASE and SecOps, and I'm sure we'll talk more about those.
For sure.
As we went through the process of building out the midterm model that we provided at the Analyst Day a few weeks ago, we looked it was a little more complicated than it has been historically because we've expanded well beyond the firewall now into SASE solutions in areas like SIEM and SOAR. The network equipment part of the business includes a healthy contribution from both fire, pardon me, from access points and switches, and also a significant contribution now from software licenses. We kind of said, well, what are we gonna start with? We really start with Gartner. I don't mean to give them an unfair plug, but I mean, that is the place that we start with. We looked at the growth and, you know, what Gartner's anticipating over the next several years, probably about 7%.
And then we add to that the growth in the other pillars. But as you look at network security, I think I would call out a couple of things. I think one is the OT marketplace where we believe we have a leadership position, has grown robustly, continues to grow robustly, and we would expect that to continue on. I think also in this elevated threat environment, we're seeing a lot more, call it regulatory influence, and that would include cyber insurance companies as well as a wide array of governmental regulators and industry regulators, that are bringing new firewall use cases that need to be secure.
We're seeing, having a lot of conversations with customers, particularly around that edge, where they maybe before, you know, were not sensitive to it, but now they're being driven there through maybe an ISO or a NIST security or something like that. So the number of use cases continues to expand. And then the convergence. Lastly, I would talk to the convergence of switches and access points. Honestly, I was very shy about talking about our switch business many years ago. I drove Michael crazy with my shyness. But now I'm completely a convert now because of what it really does in terms of creates that more of an automation and more of a consolidation function that exists with customers. And it's something that we're seeing a very strong pull from our customers.
Super helpful. You know, maybe the right, so that's kind of the normalized growth rate. I think that—and or the components of a normalized growth rate. Keith, I think you gave a lot of helpful information, you know, around this idea of a firewall upgrade cycle here in 2025, as a result of maybe some end-of-support in 2026. Right, as another driver, maybe a little bit more of a cyclical driver, but can you just remind us how big that cohort is and how much it could add to sort of incremental product billings over the next year or two?
Yeah, I'm gonna be a little bit shy about talking specifically if I can in terms of numbers, but.
No worries.
You know, throughout time, we've talked about the fact we have multiple products. So you don't really see the evidence of a product refresh cycle in our income statement because it's just a series of overlapping product life cycles. As we sat down for the Analyst Day in the 2025 planning session, we were looking at some of our data. And Christiane, again, thank you very much for that. What we really saw was something unusual, which is this cohort of refreshes in 2026. And more specifically, it's products that we announced in 2021 that we're going to go end of service in 2026. We've done some math on that. We looked at the unit count. We provided that number, 650,000 units. And then as we converted units to dollars, internally and then some of our commentary, you know, we took certain haircuts.
You know, we looked at those units that are no longer pinging home, as I would call them. We excluded those as part of that conversion.
Mm-hmm.
We made certain assumptions around, you know, how much of that refresh has already started, for a variety of reasons and how much churn we have. And then we quietly uttered a number of $400 million-$450 million for the 2026 cohort. I would encourage everybody in the audience to do your own math. I mean, I think there's, you know, a fair amount of assumptions that go into it. But keep in mind also there's another cohort for 2027 that follows after that. And also that while we're not. We're talking here only about product revenue, we're not talking about the run rate for services nor the expansion for these other parts of our business now, these other pillars, whether they're SASE or SecOps solutions.
Yeah. Yeah. I think that's a great, great dovetail for you, Michael. I mean, you know, I think there's been a conversation just around whether future firewall refresh cycles could be impacted by form factor shifts, right, and growing adoption of kind of SASE and SSE solutions. What's your view there? And I mean, I guess the question is, are you seeing SASE take share from the existing hardware firewall market, whether it be branch or data center or any form factor shift, right, to virtual as you think about, again, that big cohort that comes up for refresh?
Yeah. So the SASE, I mean, if you break down the technology, it's essentially a similar technology as what people have been running on the edge for a very long time. It's the, you know, the user protection, single sign-on, application protection, the firewall inspection, and the SD-WAN technology. So, what we have seen so far is because in our business, particularly, it's more like a customer-driven. And the customer, they adopt the cybersecurity company when there's elevated cyber threats out there, which is happening today. And, I think what we see from the customer is it's more common to see a much more, like, hybrid solution with both the edge and the cloud protection combined. And we do believe that is a very effective model where you have the traditional edge protection to protect your offices, data centers, and in the, like, in your cloud.
And then you have the SSE protecting the people who work from home or, you know, traveling employees.
Mm-hmm.
So when they weave together, they're becoming very effective. But if you try to rip one of them out to place, like, for example, you try to use SSE in an environment, let's say, in a data center that's actually not suitable for SSE protection, I mean, you can do that maybe with 10X the cost. And we don't see users actually doing that. I think it's more common that users make sensible decisions where they combine these protections together to make it most effective, I mean, the most in terms of the protection effectiveness as well as the cost effectiveness.
Yeah. Yeah. Absolutely. Maybe that's a good, a natural segue just into the, the second pillar of the business, right, which is Unified SASE. And, and maybe build a little on, on a little bit of what you said with the, with the technical question. You know, I think it's really interesting when Fortinet talks about SASE, it's something that turns on within minutes, right? But when other vendors talk about it, SASE sounds like something, you know, a lot more of an architectural shift. How do you think about the differences there, Michael?
So, I mean, that is an interesting point of difference from the messaging. But, you know, being a technologist, and I think a lot of the customers on the technology side, they understand the SASE actually doesn't provide you with the additional, you know, like, features or capabilities that the traditional edge protection offers you. It's more a way of, you know, how you architect your network traffic to going through and how you consume that, whether by, you know, like, a subscription or by a traditional CapEx, and then you own the device and then continue to pump traffic through that. So, I mean, it's one thing is, how marketing works. The other thing is sometimes not entirely exactly the same as, like, how technology works.
I think on the technology side, the SASE and the SSE provides very similar capabilities in terms of protection, but they do different when the particular use case to come into the picture. For example, you know, a lot of the guys here travel from everywhere around the world to San Francisco today, where your home office may be at, you know, New York or maybe Sydney, Australia. In the traditional way, if your protection is only provided by your home office, then you are either out of protection with your laptops today or your phones, or you would have to dial back into, you know, New York or Sydney, wherever you to get the level of protection that you need, and with the SASE, obviously, it offers a different option where you just basically assume it's fully SASE, obviously.
You dial into a PoP in Sunnyvale, and then which gives you a much shorter path towards that, the protection, and then that, you know, that same firewall in Sunnyvale will inspect your traffic, log, you know, and send to the SecOps and do all the stuff that you would be doing if you were in your home office.
Yeah.
So I think in that situation, basically, your IT department would enable SASE on your laptop, but he would not rip off your edge protection in your HQ office.
Got it.
Does that make sense?
Yeah, that does. That does actually. Keith, maybe for you, can you just remind us how big your SASE business is and how much of it is maybe coming from SD-WAN versus SSE and whether that's a mix that's gonna evolve over time?
Yeah, I do think it'll be a mix. When you look at the three pillars and you start peeling back the onion on Unified SASE, to your point, it includes not only the SSE functionality but also other cloud functionality and SD-WAN, and SD-WAN is over half of that Unified SASE mix, and then you have cloud and SSE that are kind of making up the remainder of that. SSE is not yet the largest, and I think it's got a little ways to go, but SD-WAN, you know, has gone through its cycle where the payback period and the ROI from the MPLS savings, you know, I think a lot of companies moved into that in a very big way, and now you're seeing SD-WAN really evolve to being, you know, a key component to the Unified SASE or the SSE technology.
I would expect, for the foreseeable future, that, you know, SD-WAN, which of a percentage of total business is probably running about 12%-13%, to probably stay in that neighborhood. I think the SSE element, which people sometimes call SASE, but it's really the SSE element, as we provided some numbers about ARR growth and billings growth in that space, I think that will be easily the fastest growing part of that segment, if not all the segments.
Yeah. Yeah. Absolutely. Michael, maybe just to stay on SASE because I think it's, you know, this is really the future, I think, of network security in a lot of ways. Maybe just to stay on SASE, what benefit do you think the firewall vendors have here versus the pure SASE vendors that are, you know, the pure SASE vendors are trying to displace the firewall, right? Firewall vendors, right, have a natural advantage as well. How do you think about that natural advantage within SASE or SSE?
Absolutely. So, I think for customers looking for effective cyber security protections, right, I think there's a couple of options to do it. In the old days where, you know, a lot of them rely on pure edge protection that basically they have on-prem devices, firewalls, and, you know, SD-WANs only. And these, you know, proving difficult when you have, you know, a large number of people work remotely from home or, like, you know, traveling, and you want them to be brought up to the same level of protection. And then SASE comes into the picture that actually offers a very good connectivity, low latency, and good protection.
But on the other hand, the SASE itself is more like complementary to the traditional on-prem protection rather than. I think in some cases, there are companies that are looking, "Oh, we could maybe just tear down the on-prem and then pipe everything to SASE." But that, you know, in a lot of cases, it does not make enough business sense to convince the customer to do that. I think in some cases, it might work, but I think in most cases, the two working together would form a much more effective protection. So I think in the case of the vendors, we actually see it's advantageous for vendors like us who came from the edge devices where we have the firewall and we have owned the on-prem solutions. And we add the SASE on top of that. So we provide this solution.
It's a lot more flexible than.
Yeah.
Some of the newer vendors where they only have the SSE, so which requires they pipe everything to one of their data centers.
Right.
To get protected. That in a lot of cases would be either too, you know, like, too expensive or sometimes it introduces latency where it's absolutely not necessary because from the office network, you can directly go to the internet if you have the on-prem firewall or SD-WAN devices.
Mm-hmm.
But if you're SASE only, then you gotta take, like, one more hop to go to the vendor's data center. So, I mean, I'm not seeing that as a future. I think the future is more hybrid, and then it's, you know, for the more flexible vendors to.
Mm-hmm.
Doing more of those deals.
Yeah. So interesting. Keith, when it comes to building out your infrastructure for SSE, I think you and Ken have talked about some of the longer-term, cost advantages of building out your own POPs as opposed to maybe using a public cloud provider like GCP. You can use it, of course, to accelerate some things, right? But I think there's a clear.
Yeah.
Preference, right, for you know, for kind of owning that, if you will, long term. Can you just remind us maybe how many POPs you've built so far and how should we think about sort of the CapEx moving forward as that coverage expands?
Yeah. I mean, one of the attractions to our design, if you will, is that we have, yeah, we see a long-term cost to deliver the solution that's gonna be much less than some of the competitors. You know, a bit of history here in terms of how we ended up in this spot is, where people were going through and evaluating new SASE solutions maybe two years ago, there was a very common question about how many POPs do you have. And we had at the time 19, and.
I remember.
Somebody had a cutoff of 20 that we felt was rather about either arbitrary or punitive. We're still not sure today which of it was. But, you know, so we went out and we established a partnership with one of the global cloud providers that quickly took that number well over 100. And what it really did was remove that buying objection. I don't know that it was really core to our long-term architectural design that Michael's talked about. We will continue to have, you know, a relationship with that cloud provider or others, for latency reasons in certain locations. But I think what's really key is the combination of our POPs, if you will, and in some cases our data centers as well as colos, because that drastically changes the cost to deliver.
We will still continue to offer the cloud provider option to customers at a higher price point, and they may opt to do that going forward as we would expect. But what the POP and what the colos do in our own data center also allows us to run our SASE technology on our own technology, on our own firewalls inside of these locations, which provides, you know, we think an operational advantage and also an economic advantage. And then to the question, well, how much does this cost, right? And, Ken and I had this conversation, in the last week or so, and I said, you know, it really, Ken, in terms of the pacing here as we build out POPs, and let's not confuse POPs for data centers because there's a very different price point, okay?
Yeah. Good point.
I don't have the energy capacity to take down a full data center, but you know, as we move through this year and we're probably in the range of $300 million-$400 million of CapEx spending, you know, Ken, if we think that that number's gonna change dramatically, we should start talking to the street about that, and the comment was, "No, it's not gonna change dramatically." I would offer a caveat that when you're buying real estate or infrastructure, it's lumpy. You know, you're not buying it one square foot at a time, so you know, and deals can push from one quarter to another or be accelerated for different reasons.
But, you know, I think that's kind of what the number that we'd like people to be thinking about as we get closer and closer to maybe form more formally talking about it when we give guidance in 2025.
Yeah. Yeah. Absolutely. Michael, we talked about two of the three pillars. I wanna make sure we talk about the third one, briefly, which is just on the SecOps side. You know, I think an interesting point that we took away from the analyst here was sort of the opportunity to use Fortinet's data lake as a starting point to sell more services, you know, kind of across the portfolio. Can you just talk a little bit about that cross-sell opportunity and how you can use that data lake as maybe a stepping stone, right, to show customers the broader portfolio?
Yeah. I think, in the past, a lot of the security data are very siloed. You know, there's a large, different, like, geolocations, and then there's, you know, the firewall. There's the endpoint logs, and all those are going to different consoles. You know, there's a different technology or SIEM and SOAR. There's, you know, all kinds of stuff, trying to basically make sense out of that tremendous amount of data, which is, you know, generated every second of the day. So what we have provided is basically we have a tier that we call a fabric, based on data lake that we allow, you know, not only our own security data, but also secure data from our partners, security vendors to be aggregated together.
And then on top of that, we offer features like, you know, SIEM or SOAR for additional visibility and automation. And then we provide that in a way that we can basically have a multi-tiered, have them all linked together. And then the processing is happening at the lower-end nodes, but then you get visibility on the top. So, for example, like, a global, you know, company as a Fortune 500 CEO or maybe more like a CISO, he would be able to have a single console to see the output from all these different types of tools over his data on all the devices at all the different geolocations. So we built out an infrastructure to help that still materialize.
Got it. I'm gonna move to some financial questions here for Keith, but before we do that, any questions here from the audience? Keith, maybe for you, I mean, I'd love to spend a little bit of time just on the three to five-year targets that you provided at Analyst Day, which was a really useful event, by the way. And maybe we could start with top line, right? I think we said we expect, you know, greater than a 12% CAGR on billings and revenue. You correct me there if I'm wrong. But I'd love if you could just walk us through some of the higher-level assumptions, right, that are underpinning that growth target. Yeah, maybe we'll leave it open at the back.
Yeah. I mean, I don't think people are gonna be terribly surprised about our approach, but I'll recap it. As we talked about in the beginning of the conversation, you look at the three different segments or pillars of the business: the firewall, the SASE, and the SecOps. And, you know, we start with the Gartner growth rates, and we make some adjustments to that based upon our mix within that in terms of virtual firewalls and physical firewalls. You know, but you're looking at about a 7% number there, for that particular part of the business. And then you look at the SASE, and you look at the components of SecOps when you go through the same exercise. And you start getting around to a range of a number that you might be comfortable with, you know, on 12%, let's say.
And there's also the sanity check to it. Do you have the sales capacity to deliver on that 12% number, or are you gonna have to do something more in your OPEX line to build the capacity? And we'll talk about margins, I'm sure.
Yep.
sales productivity because I don't wanna get out, you know, over my skis and assuming that I'm gonna get to a number either on the top line or the margin line, with an unfair assumption about sales productivity. I think we feel very comfortable with that. We look at tenure as well. We talk to our salespeople. We do look at some of the budgets. We'll look at pipeline, but it is a very limited value to us when you're looking that far out.
Mm-hmm.
And you're kinda sitting down and you're sanity checking it. And probably the last thing that we did this time, which was new, was relates to the refresh. And I would not necessarily say that the refresh received a separate line in our 12% number. Rather, the refresh was more about, does it give us comfortable with the, get it more comfort with the 12% number that we provided? And I think that's really how we viewed it at this stage. And part of that, as you go back to, we simply have not had this type of a refresh cycle spike previously. And again, I think we'd like to be a little bit cautious and play this out a little bit more, we, you know, about how we execute and how we deliver against this opportunity and how the upsells and the cross-sells factor into it.
Mm-hmm. Mm-hmm. Absolutely. To your point, just on profitability, I think one of the most surprising points over the last couple of quarters has been just better gross margin, right, particularly on the product line. You know, as I think about it, it felt like some of the higher value that you've delivered in prior years, along with the supply chain-driven costs that have gone down. It sort of felt like those two things combined for that better product gross margin. Maybe the question first of all, is that the right way to think about it? And how do you think about product gross margins going forward as we get into the thick of that product refresh that you just talked about?
Yeah. It's been a product gross margins has been a dynamic world for a couple of years. You know, during the supply chain, we were experiencing expedite fees to some of the component providers and the chip companies, which were not insignificant by any stretch of the imagination. And at the same time, we were looking to accelerate delivery of our products from our contract manufacturers to us. And you saw a lot of our delivery shifting from ocean freight to air freight. And we needed to go through that elevated cost structure that you saw in 2023. And then the third element was really some actions that we took during the supply chain to really provide larger purchase orders and inventory commitments to our contract manufacturers.
Part of that to get us at the front of the line to make sure that we got deliveries. Part of that was to provide working capital to our contract manufacturers because it was a difficult time for them. But then, as you saw that, that supply chain cycle change and shift and move down, you know, I was in a position that I certainly had enough inventory, let's put it that way, and I had more inventory coming. And so you saw us taking fairly elevated charges related to inventory, for in the cost of goods sold line. You know, there was a few quarters there where that was running $40 million or $50 million a quarter, and not insignificant. We told our board at the beginning of this year that we thought we'd be out of the woods by the end of the year. We are.
We probably got there a quarter earlier than we expected, and we also had a little bit of a one-off benefit in some of our negotiations with our contract manufacturers. But now I think you're too. What does that all mean, right, and I think that when you take the information we provided in the analyst here for total gross margin and you reverse engineer it, you know, you're probably gonna see normalized product gross margins stripping out all those one-time effects, of that 65%-67% range, so not giving guidance, but I think that.
No.
That would be how I'm thinking about my business at the moment.
Yeah. No, that's a really helpful, that's a really helpful framework. Maybe, Michael, for you, I mean, you know, as, as founder of the business, I mean, you know, you've seen so many refresh cycles. What's different about this refresh cycle just from your perspective? Open-ended question out of curiosity.
I think it's, you know, in the long run, right? I mean, refresh happens as naturally as it needs to occur. And then, but at some point, it happens in bulk, then some other times. So I think over the long time, you sort of average things out. But on the other hand, we have this unique technology, built the ASIC for our hardware appliances, and that's kind of like chunky. Like, we don't, you know, turn out ASICs like every quarter or every year. But the cycle of that ASIC design is, you know, three to five years.
And when it comes out, it usually brings the performance to a much higher level and at a similar or lower cost because the Moore's Law basically allows us to design these much more complicated ASICs over the time that I think on the one hand, it does address the market needs for, you know, higher speed. It's ever-increasing higher speed, but also a lot more coverage because a lot of traditional stuff, like, for example, like OT, they were basically there was no protection at all. But today, because of the compliance and because the customer realized they were a real threat when these were attacked by, you know, like, people out there, and then they are actually putting the protection around them.
So I think, you know, that refresh helped both increase the coverage as well as keeping up the speed needs for the customers.
Yeah. Yeah. Absolutely. Keith, maybe back to you from a margin perspective. You know, you raised your long-term operating margin target to 30% plus, up from 25% plus prior, right? And you've seen some really impressive outperformance on margins this year, like on product gross margins, right, as we discussed. You know, what's interesting is that your margins are actually higher than 30%, that 30% target right now. And so just maybe begs the question, how do you sort of think about the puts and takes to the 30% given, you know, the need to invest, I mean, the channel that you've built and just the sheer scale of the business?
Yeah. Obviously, there's a significant, I mean, the business model's very attractive whether you look at margins or you look at free cash flow.
Absolutely.
You know, I think that when I talk to my go-to-market leaders and when I talk to my R&D leaders, I think the message is very consistent that we have more to invest, and we should. Now, this normalized a little bit because we're looking at gross margins and operating margins in the fourth quarter, and that tends to be our best quarter each year. But I was pretty open in terms of when we moved that number from 25% to 30%, and you know that I thought we had some room there to invest. I'd like to see us take, you know, whatever our normal margin is for the fourth quarter, if you will. And I'd like to see us invest at least another point in go-to-market.
And I would be liberal also in some of the investment opportunities, particularly as we look at the combination of the refresh cycle and now having the opportunity to sell products that we didn't have five years ago when the products first sold, let's say, whether that's SASE or SecOps. I think there's a significant reason to make investments there. We also talked about the 230 basis points of headwind from the Lacework acquisition. That'll normalize over time, as somebody said earlier today, as you fortify that company, you know, and we bring their structure into it. So I think there's some opportunities there for initial investments. We continue to have a cost of performance or a price of performance advantage, and I expect us to leverage that.
And I think also as we look into certain segments of the market, you know, the large enterprise, for example, we'd wanna be able to make investments not only in our customers, so to speak, as we dislodge them from their incumbents, but into our own sales team and also into our channel partners. So again, I think there's a pretty healthy list there of how I can spend money to.
Yeah.
Not have margins be too high. How's that?
Absolutely. Absolutely. I mean, maybe the last question I'd like to end with here, right? We've been trying to ask all our management teams. It's a really broad and kinda open-ended question, but, you know, as you kinda get into planning for next year, what are you hearing from salespeople and internally to the extent you spend time with customers? How are people feeling about sort of their willingness to invest in security next year? How do you feel about that spending environment? Michael, maybe we start with you.
Yeah. I think security is still among the top of the list for a lot of the enterprise customers. And then I think we see a more interest also from the traditionally, I think, less interested parties like, you know, OT and these areas. They all see the needs for protection and in more use cases. So I think, you know, I'm happy to see that awareness is, you know, spreading.
Yeah. Absolutely. Keith, anything you wanna add to that?
Yeah. I'm probably aligned with Michael. I think the threat environment is and remains so elevated. The volume of resources and the type of resources that the threat actors, be they ransomware or be they nation-states or some other organization, at least from what I'm seeing and feeling, it seems there's so much more being invested targeting companies and going after their data. I think CIOs and CISOs are very, very much aware of that, and they're really looking for, you know, all the technologies they'll need to continue to protect themselves. You know, the nation-states and threat actors aren't encumbered by things like QA and product release schedules and legal niceties and so forth. There's a lot of trial and error out there, and I think it's really, really tough for CISOs and CIOs in this environment right now.
Yeah. Yeah. Absolutely. Well, Michael, Keith, thank you so much for the time. Very educational.
Thank you.
I really appreciate it.
Thank you, sir.
Thank you.
Thank you.